
API Keys

Create, manage, and revoke API keys that AI agents use to authenticate with Skilder and access workspace tools.

You can manage keys from Workspace Settings or your Profile, depending on the key type.


Key Types

Skilder provides three types of API keys:

| Type | Prefix | Created From | Scope |
|------|--------|--------------|-------|
| Workspace Key | WSK_ | Workspace Settings > API Keys | Access to skills and tools within a workspace |
| User Key | USK_ | Profile > API Keys | Workspace access tied to a specific user identity |
| Runtime Key | RTK_ | System-generated | Used internally by runtime instances to authenticate with the platform |

Workspace Keys are best for shared agents and automated systems where individual user identity is not important.

User Keys are best when you need per-user audit trails or when the agent acts on behalf of a specific user.

Runtime Keys are managed automatically — you do not need to create or manage them manually.


Creating an API Key

Workspace Keys

  1. Click your avatar (top-right) > Workspace Settings.
  2. Select the API Keys tab.
  3. Click Generate New Key.
  4. Enter a description and click Create.
  5. Copy the key immediately — it starts with WSK_ and is shown only once.

User Keys

  1. Click your avatar (top-right) > Profile.
  2. Select the API Keys tab.
  3. Click Generate New Key.
  4. Enter a description and click Create.
  5. Copy the key immediately — it starts with USK_ and is shown only once.

Revoking a Key

When a key is compromised or no longer needed, revoke it:

  1. Open Workspace Settings (for workspace keys) or Profile (for user keys) and select the API Keys tab.
  2. Find the key and click Revoke.
  3. Confirm the action.

Revocation is immediate. Any agent using the key loses access instantly. This action cannot be undone — you must generate a new key if you need to restore access.
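
Because each key type carries its own prefix, a repository or log scan can find exposed keys, classify them, and point to the place where each one is revoked. The following is an added example, not Skilder's own tooling: the prefixes and revocation locations come from this page, while the key body pattern (20 or more URL-safe characters), the function names, and the sample input are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Prefixes and revocation locations are taken from the page. The key body
# pattern (20+ URL-safe characters) is an ASSUMPTION; tune it to real keys.
KEY_TYPES = {
    "WSK_": ("Workspace Key", "Workspace Settings > API Keys"),
    "USK_": ("User Key", "Profile > API Keys"),
    "RTK_": ("Runtime Key", "managed automatically by the platform"),
}
KEY_RE = re.compile(r"(?<![A-Za-z0-9])(WSK_|USK_|RTK_)[A-Za-z0-9_-]{20,}")

class Finding(NamedTuple):
    source: str
    line: int
    key_type: str
    revoke_from: str
    redacted: str

def redact(key: str) -> str:
    """Keep the prefix plus 4 characters; never re-expose the full secret."""
    return key[:8] + "***"

def scan_text(text: str, source: str = "<input>") -> list[Finding]:
    """Return one Finding per key-shaped string, with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key_type, revoke_from = KEY_TYPES[m.group(1)]
            hit = Finding(source, lineno, key_type, revoke_from, redact(m.group(0)))
            findings.append(hit)
    return findings

def redact_text(text: str) -> str:
    """Replace every key-shaped string so logs or diffs can be shared safely."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)

# Constructed sample input; these are not real keys.
SAMPLE = (
    "# agent config\n"
    'agent_key = "WSK_aaaaaaaaaaaaaaaaaaaaaaaa"\n'
    'fallback_key = "USK_bbbbbbbbbbbbbbbbbbbbbbbb"\n'
    "# keys start with WSK_ or USK_\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "agent.conf"):
        print(f"{f.source}:{f.line}: {f.key_type} {f.redacted} -> {f.revoke_from}")
```

Treat any finding as a compromised key: revoke it from the location reported, then generate a replacement.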


Best Practices

Use descriptive names

Name keys after their purpose or the agent that uses them. "Slack Support Bot - Production" is better than "Key 1". You will thank yourself when reviewing keys months later.

One key per agent

Give each agent its own API key. This lets you revoke access for a single agent without affecting others, and makes audit logs easier to read.

Rotate keys regularly

Periodically create new keys and retire old ones. This limits the blast radius if a key is leaked without your knowledge.

Monitor usage

Review which keys are active and when they were last used. Revoke keys that have been inactive for an extended period.


Permissions Model

When an agent connects with an API key, it can access skills through the hats in the workspace:

API Key → Workspace → Hats → Skills → Tools

The agent discovers hats and their skills. Each hat groups a set of skills, and each skill provides access to specific tools. To limit what an agent can access, organize skills into separate hats and assign hats to the appropriate teams. You can also use separate workspaces for different teams or environments.